How do I report a security issue?

Previously fixed security issues are listed in the Moodle.org Security news. If you are unsure whether a problem has been fixed or not, it's best to report it anyway.

How can I keep my site secure?

It's good practice to always use the latest stable release of the version you are using. It is safe to upgrade to a more recent version on the branch you are using, say from Moodle 2.X.1 to the latest version on the 2.X branch. Downloading via Git makes this very easy to do.

How do I keep track of recent security issues?

Register your Moodle site with moodle.org, making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.

Copy and paste the public and private keys provided into the recaptchapublickey and recaptchaprivatekey fields in the manage authentication common settings in Administration > Plugins > Authentication > Manage authentication.

How can I run the security overview report?

I have discovered Cross Site Scripting (XSS) is possible with Moodle

Some forms of rich content used by teachers to enhance their courses use the same technologies that malicious users can use for cross-site scripting attacks. If Moodle was solely concerned with security, it would not allow this. However, Moodle is also concerned with education and so a balance has to be struck between securing the system and supporting teachers with their needs.

In order to strike a balance between authoring rich educational content and securing the system, access to post XSS-capable content is controlled by capabilities flagged with the 'XSS risk' - see Risks. In general this means that admins and teachers can post XSS-capable content, but students cannot - see XSS_trusted_users.

Occasionally security bugs are discovered in Moodle's handling of XSS-capable content and we are grateful to the community for reporting these through responsible disclosure. Before reporting an XSS bug to Moodle, please ensure that the user posting the XSS content does not have capabilities flagged with the XSS risk.
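As an added illustration of the two points above (the gating of rich content by XSS-risk-flagged capabilities, and the triage check to perform before reporting), here is a small Python model. It is not Moodle's code and does not call Moodle's API; the capability names, role names, role-to-capability map and the active-content heuristic are all constructed for the example.

```python
"""Model of gating unfiltered content by capabilities that carry the XSS risk.

Everything here is a constructed illustration, not Moodle's implementation.
"""
import html
import re

RISK_XSS = "xss"

# Constructed capability table: capability name -> set of risk flags.
# The capability names are hypothetical, not Moodle's real identifiers.
CAPABILITY_RISKS = {
    "example/course:edit_rich_content": {RISK_XSS},  # lets a user post raw HTML
    "example/forum:post_reply": set(),               # no XSS risk attached
}

# Constructed role -> capability map, mirroring the usual split where
# teachers may post rich content and students may not.
ROLE_CAPABILITIES = {
    "editingteacher": {"example/course:edit_rich_content", "example/forum:post_reply"},
    "student": {"example/forum:post_reply"},
}

# Heuristic for "active" markup surviving in rendered output: a <script> tag,
# an on*= event handler attribute, or a javascript: URL. Good enough for triage.
ACTIVE_CONTENT_RE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def is_xss_trusted(role: str) -> bool:
    """True when any capability held by the role carries the XSS risk flag."""
    return any(
        RISK_XSS in CAPABILITY_RISKS.get(cap, set())
        for cap in ROLE_CAPABILITIES.get(role, set())
    )


def render_user_content(role: str, raw_html: str) -> str:
    """Trusted roles keep their markup as written; everyone else gets it escaped."""
    if is_xss_trusted(role):
        return raw_html
    return html.escape(raw_html, quote=True)


def contains_active_content(rendered: str) -> bool:
    """Does the rendered output still contain script-capable markup?"""
    return ACTIVE_CONTENT_RE.search(rendered) is not None


def is_reportable_xss(role: str, observed_output: str) -> bool:
    """Triage helper for the last paragraph above.

    A finding is only a bug when the posting role holds no XSS-risk capability
    and the output as actually rendered still carries active content. Output
    produced by a trusted role is by design and is not a security bug.
    """
    if is_xss_trusted(role):
        return False
    return contains_active_content(observed_output)


if __name__ == "__main__":
    sample = '<p>Hello</p><script>alert(1)</script>'  # constructed sample post
    for role in ("editingteacher", "student"):
        out = render_user_content(role, sample)
        print(f"{role:15} trusted={is_xss_trusted(role)} rendered={out}")
        print(f"{'':15} reportable={is_reportable_xss(role, out)}")
```

Running the script shows the teacher's markup passing through unchanged and the student's being escaped; `is_reportable_xss` returns False for both because neither case is a bug. It returns True only when you hand it output where a student-level role's markup was rendered unescaped, which is the situation the last paragraph asks you to confirm before filing a report.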